Facebook adds one-time password and remote sign-out capabilities

Facebook has announced three new security and privacy features that it says will make its users' experience on the site more secure.

Writing on the Facebook blog, Jake Brill, a product manager on Facebook's site integrity team, said that the aim of the three new features was to make the user 'experience on Facebook more secure'. The first major launch is one-time passwords (OTP): rather than typing their regular password into a public computer, a user can ask Facebook to text them a temporary password that works for a single login.

He said: “Simply text 'otp' to 32665 on your mobile phone and you'll immediately receive a password that can be used only once and expires in 20 minutes. In order to access this feature, you'll need a mobile phone number in your account. We're rolling this out gradually, and it should be available to everyone in the coming weeks.”
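As an added illustration (not Facebook's code, which the article does not show), the following is a minimal server-side model of the scheme Brill describes: a code is issued only to a phone number already registered on the account, it expires 20 minutes after issue, and it is accepted exactly once in place of the regular password. The class and function names, the eight-character code format, the scrypt parameters and the phone numbers are all assumptions made for this example; the clock is injectable so that expiry can be exercised without waiting.

```python
import hashlib
import hmac
import secrets
import string
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

OTP_TTL_SECONDS = 20 * 60          # lifetime stated in the article: 20 minutes
OTP_ALPHABET = string.ascii_uppercase + string.digits
OTP_LENGTH = 8                     # assumption: the article does not give a length


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted scrypt hash for the regular password (parameters are an assumption)."""
    return hashlib.scrypt(password.encode(), salt=salt, n=2 ** 14, r=8, p=1)


@dataclass
class Account:
    user_id: str
    phone: Optional[str]            # the OTP feature needs a phone number on the account
    salt: bytes
    password_hash: bytes

    @classmethod
    def create(cls, user_id: str, phone: Optional[str], password: str) -> "Account":
        salt = secrets.token_bytes(16)
        return cls(user_id, phone, salt, hash_password(password, salt))


@dataclass
class IssuedOtp:
    code: str
    expires_at: float
    used: bool = False


class OtpService:
    def __init__(self, accounts: List[Account], clock: Callable[[], float] = time.time):
        self._accounts: Dict[str, Account] = {a.user_id: a for a in accounts}
        self._by_phone: Dict[str, Account] = {a.phone: a for a in accounts if a.phone}
        self._pending: Dict[str, IssuedOtp] = {}   # user_id -> the one live OTP
        self._clock = clock

    def request_otp(self, from_phone: str) -> Optional[str]:
        """Handle an inbound SMS reading 'otp'. Returns the code to text back, or None
        if the sending number is not registered on any account."""
        account = self._by_phone.get(from_phone)
        if account is None:
            return None
        code = "".join(secrets.choice(OTP_ALPHABET) for _ in range(OTP_LENGTH))
        # A fresh request replaces any earlier code, so at most one OTP is live per account.
        self._pending[account.user_id] = IssuedOtp(code, self._clock() + OTP_TTL_SECONDS)
        return code

    def login(self, user_id: str, secret: str) -> bool:
        """Accept either the regular password or a live, unused OTP."""
        account = self._accounts.get(user_id)
        if account is None:
            return False
        if hmac.compare_digest(hash_password(secret, account.salt), account.password_hash):
            return True
        pending = self._pending.get(user_id)
        if pending is None or pending.used or self._clock() > pending.expires_at:
            return False
        if not hmac.compare_digest(secret.encode(), pending.code.encode()):
            return False
        pending.used = True            # single use: the same code is refused from now on
        return True
```

Note that `request_otp` trusts the sending phone number alone, so possession of an unlocked handset is the only thing needed to obtain a code; the comparisons use `hmac.compare_digest` so that a guessed code cannot be refined character by character from response timing.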

The social networking site has also made remote sign-out available to all users: the account settings now list every active session, with information about each one, and any session can be ended from there. “In the unlikely event that someone accesses your account without your permission, you can also shut down the unauthorised login before resetting your password and taking other steps to secure your account and computer,” Brill said.
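The following is an added example of the session-management behaviour the article describes, not Facebook's implementation: a server-side session store that lists a user's active sessions with their details, lets the owner end any one of them, and ends every other session after a password reset. The class, method and field names and the device and location strings are assumptions for the example; in particular the ownership check in `revoke` is the detail that stops one user ending another user's session by guessing its identifier.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass
class Session:
    token: str
    user_id: str
    device: str       # e.g. browser and operating system, as shown on the security page
    location: str     # e.g. approximate location derived from the IP address
    created_at: float
    last_seen: float
    revoked: bool = False


class SessionStore:
    def __init__(self, clock: Callable[[], float] = time.time):
        self._sessions: Dict[str, Session] = {}   # token -> Session
        self._clock = clock

    def create(self, user_id: str, device: str, location: str) -> str:
        """Start a session at login and return its unguessable token."""
        token = secrets.token_urlsafe(32)
        now = self._clock()
        self._sessions[token] = Session(token, user_id, device, location, now, now)
        return token

    def authenticate(self, token: str) -> Optional[str]:
        """Resolve a presented token to a user, or None once the session has been ended."""
        session = self._sessions.get(token)
        if session is None or session.revoked:
            return None
        session.last_seen = self._clock()
        return session.user_id

    def list_active(self, user_id: str) -> List[Session]:
        """Everything the account owner sees on the active-sessions page."""
        return [s for s in self._sessions.values()
                if s.user_id == user_id and not s.revoked]

    def revoke(self, user_id: str, token: str) -> bool:
        """Remote sign-out of one session. Only the session's own user may end it."""
        session = self._sessions.get(token)
        if session is None or session.user_id != user_id:
            return False
        session.revoked = True
        return True

    def revoke_all_except(self, user_id: str, keep_token: str) -> int:
        """Sign out everywhere else (e.g. after a password reset). Returns the number ended."""
        ended = 0
        for session in self._sessions.values():
            if session.user_id == user_id and session.token != keep_token and not session.revoked:
                session.revoked = True
                ended += 1
        return ended
```

Revocation is recorded server-side, so a stolen cookie stops working the moment the owner ends the session, whatever the attacker's browser still holds.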

Finally, when people log in to Facebook they will periodically be prompted to keep their security information up to date, so that if they ever lose access to the account, that information can be used to verify their identity.

Rik Ferguson, senior security advisor at Trend Micro, said that the changes were 'very welcome'. He said: “Regular prompting is good, don't wait for Facebook to prompt you though, visit this page to update your information now (you can also add a mobile phone number here). Kudos to the folk over at Facebook for taking account security seriously, good job.”

Graham Cluley, senior technology consultant at Sophos, questioned the practicality of the OTP system. He pointed out that anyone who gets hold of a user's phone can request a one-time password by SMS if the handset has not been locked with a password, and that anyone with full access to the account can change the mobile phone number registered on it.

He said: “Yes, there is a very real problem with Facebook users accessing their accounts from insecure computers, and having their credentials stolen as a result and Facebook's OTP scheme does provide some protection against that.

“But that doesn't mean that the one-time password system guarantees 100 per cent security, and indeed - under some circumstances - it could be exploited by people who want to hack into your account.

“Maybe next time you're in a cyber cafe or sitting in front of an unknown computer you should just wait until you're on a PC that you're more confident has been kept up-to-date with anti-virus software and security patches. Now wouldn't that be a good idea?”

SC Media UK arms cyber-security professionals with the in-depth, unbiased business and technical information they need to tackle the countless security challenges they face and establish risk management and compliance postures that underpin overall business strategies.